Docker design questions - 4.14.1+

[kevinruffus]

What is the purpose of using intercontainer certificates rather than an internal only network with nginx serving as the single point of ingress with custom certs/letsencrypt that connects to both the internal network and a bridge net?

I see that you're pulling the cert generator live, which is a break from best practices if I'm not mistaken.

I've also seen several projects recently that require pulling the project files, like this one, which also seems a bit odd to me. Theoretically you shouldn't need to do anything except possibly create a few folders on the host and create/edit the docker-compose and env files.

I'm still digging through files and trying to understand some of the decisions made, so forgive me if I've missed something obvious. I'm just starting to delve into actually creating docker images, so it could just be that I'm not up to speed on current standards.

[kevinruffus]

You could even automate the internal cert creation process based off network info provided in the compose file, as well as set the info in the config files rather than them being hardcoded the way they are currently. I had to manually change several entries to get it to work using - instead of . in the names, including for the certs themselves.

I've got this working so far, but it's a WIP. Was having issues with assigning IPs... because they were probably hardcoded to use 0.0.0.0 in the config files. I'll take a look at that.

docker-compose

# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: "3.9"

# networks
networks:
  wazuh-ext:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: wazuh-ext
    ipam:
      driver: default
      config:
        - subnet: ${EXT_SUBNET}/24
          gateway: ${EXT_GATEWAY}
  wazuh-int:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: wazuh-int
    ipam:
      driver: default
      config:
        - subnet: ${INT_SUBNET}/24
    internal: true


volumes:
  wazuh_api_configuration:
  wazuh_etc:
  wazuh_logs:
  wazuh_queue:
  wazuh_var_multigroups:
  wazuh_integrations:
  wazuh_active_response:
  wazuh_agentless:
  wazuh_wodles:
  filebeat_etc:
  filebeat_var:
  wazuh-indexer-data:
  wazuh-dashboard-config:
  wazuh-dashboard-custom:


services:
  wazuh-manager:
    image: wazuh/wazuh-manager:4.14.1
    hostname: wazuh-manager
    restart: always
    environment:
      - INDEXER_URL=https://${WI_INT_IP}:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 655360
        hard: 655360
    networks:
      wazuh-ext:
        ipv4_address: ${WM_EXT_IP}
      wazuh-int:
        ipv4_address: ${WM_INT_IP}
    ports:
      - 1514:1514
      - 1515:1515
      - 514:514/udp
      - 55000:55000
    volumes:
      - wazuh_api_configuration:/var/ossec/api/configuration
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
      - wazuh_var_multigroups:/var/ossec/var/multigroups
      - wazuh_integrations:/var/ossec/integrations
      - wazuh_active_response:/var/ossec/active-response/bin
      - wazuh_agentless:/var/ossec/agentless
      - wazuh_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat
      - /somefolder/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - /somefolder/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh-manager.pem:/etc/ssl/filebeat.pem
      - /somefolder/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh-manager-key.pem:/etc/ssl/filebeat.key
      - /somefolder/wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf

  wazuh-indexer:
    image: wazuh/wazuh-indexer:4.14.1
    hostname: wazuh-indexer
    restart: always
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    networks:
      wazuh-int:
        ipv4_address: ${WI_INT_IP}
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer
      - /somefolder/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
      - /somefolder/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh-indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh-indexer.key
      - /somefolder/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh-indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh-indexer.pem
      - /somefolder/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/certs/admin.pem
      - /somefolder/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/certs/admin-key.pem
      - /somefolder/wazuh-docker/single-node/config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
      - /somefolder/wazuh-docker/single-node/config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml

  wazuh-dashboard:
    image: wazuh/wazuh-dashboard:4.14.1
    hostname: wazuh-dashboard
    restart: always
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - WAZUH_API_URL=https://${WM_INT_IP}
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=kibanaserver
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    depends_on:
      - wazuh-indexer
    networks:
      wazuh-ext:
        ipv4_address: ${WD_EXT_IP}
      wazuh-int:
        ipv4_address: ${WD_INT_IP}
    ports:
      - 5601:5601
    volumes:
      - /somefolder/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh-dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
      - /somefolder/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh-dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
      - /somefolder/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
      - /somefolder/wazuh-docker/single-node/config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
      - /somefolder/wazuh-docker/single-node/config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
      - wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
      - wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom

.env

EXT_SUBNET=172.18.25.0
INT_SUBNET=172.18.26.0
EXT_GATEWAY=172.18.25.1
WM_EXT_IP=172.18.25.2
WD_EXT_IP=172.18.25.3
WM_INT_IP=172.18.26.2
WI_INT_IP=172.18.26.3
WD_INT_IP=172.18.26.4

Assumes default users and passwords

[kevinruffus]

It looks like you're addressing some of the things I mentioned in 5.0.0, but some things still are problematic.

I forked the repo and I'm working on updating the compose files for consistency (structure and naming) and proper networking, removing the . in the names of the services, hostnames, etc, and having them be set by env variables, which makes updating things much easier on the dev side and also allows for a little flexibility.

Ideally a nginx container would serve as proxy for all ingress and egress, with the other containers only on a backhaul network, but I suck at nginx configuration as I've worked with it for about 1 hr total. I've got a workaround in place, but it's not ideal.

If I can figure out the workings, I'm going to also try to get references to the hostnames/nodes to be set via env at first run, and have the certs generate at first run, also based on the env variables, again for consistency in naming and to avoid the . in the names issue.